Hi Olga Based on Jeff's post Are there some NFS-client side flags that need to be set by the sys-admins to have the state-operations performed by the machine credential ? Are there any server-side requirements that must be fulfilled so that the correct behavior is negotiated between client and server ? What versions of the client ( RHEL-7 , 8 ..) support this behavior ( state-ops performed by machine credential ) What versions of NFS ( 4.0, 4.1 .... ) support / mandate this behavior Thanks Again If any of you plan on visiting Illinois soon, I owe you lunch ! Andy > > Here's the paragraph of the spec stating that things like CLOSE must be allowed: > > In cases where the server's security policies on a portion of its > namespace require RPCSEC_GSS authentication, a client may have to use > an RPCSEC_GSS credential to remove per-file state (e.g., LOCKU, CLOSE, > etc.). The server may require that the principal that removes the > state match certain criteria (e.g., the principal might have to be the > same as the one that acquired the state). However, the client might > not have an RPCSEC_GSS context for such a principal, and might not be > able to create such a context (perhaps because the user has logged > off). When the client establishes SP4_MACH_CRED or SP4_SSV protection, > it can specify a list of operations that the server MUST allow using > the machine credential (if SP4_MACH_CRED is used) or the SSV > credential (if SP4_SSV is used). > > If the NAS vendor is disallowing it then they are in the wrong. >
